firewall.paloalto

Introduction

The tags beginning with firewall.paloalto identify events generated by Palo Alto Networks Firewall.

Tag structure

The full tag must have at least three levels. The first two are fixed as firewall.paloalto. The third level identifies the event's log type and will be determined dynamically by the rule you define on the Devo Relay. The fourth element is only used in some specific cases.

Technology

Brand

Type

Subtype

firewall

paloalto

config
system
threat
traffic
correlation
hipmatch
url
userid

The tag levels below are only used with firewall.paloalto.config

This is used to indicate the parser version. Depending on the Palo Alto firewall version used by each client, some fields can arrive in a different order, so we need to add this tag level to indicate the parser version. The possible values are:

v1 - It's the default value, and also used if no value is set at this level. In this case, the parser uses the default fields order (fields affected: seqno, actionflags, beforechangedetail and afterchangedetail).
v2 - Used to indicate that the fields beforechangedetail and afterchangedetail are not part of the event and must be ignored and initialized with null.
v3 - Used to indicate that the fields beforechangedetail and afterchangedetail come before the seqno and actionflags fields.

The tag level below is only used with firewall.paloalto.traffic, firewall.paloalto.system and firewall.paloalto.threats

These tables allow sending events in LEEF format instead of the default CSV format. To indicate this, all logs must have an additional tag level (leef).

Therefore, the valid tags are:

firewall.paloalto.config
firewall.paloalto.config.v1
firewall.paloalto.config.v2t
firewall.paloalto.config.v3
firewall.paloalto.system
firewall.paloalto.threat
firewall.paloalto.traffic
firewall.paloalto.correlation
firewall.paloalto.hipmatch
firewall.paloalto.url
firewall.paloalto.userid
firewall.paloalto.traffic.leef
firewall.paloalto.system.leef
firewall.paloalto.threats.leef

For more information, read more about Devo tags.

How is the data sent to Devo?

Since there is no facility for applying the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and forwarded securely to the Devo Cloud.

You will need to define a relay rule that can correctly identify the event type and apply the corresponding tag. The rule identifies the event's type by the source port that it was received on and by whether it matches a format defined by a regular expression. When the source conditions are met, the relay will apply a tag that begins with firewall.paloalto. A regular expression in the Source data field describes the format of the event data. Data is extracted from the event and used to create the third tag level.

Define the rule using the following values (the port number can be any free port on your relay):

Relay rule 1 - CSV events

Source port → 13004
Source data → ^[^,]+,[^,]+,[^,]+,([^,]+)
Target tag → firewall.paloalto.\\D1
Check the Sent without syslog tag and Stop processing checkboxes

Definying a relay rule with a tag with four levels

If you need to use a relay rule with a tag that includes the fourth level, you must indicate it in the Target tag field. For example, if you need to indicate v2, the target tag would be firewall.paloalto.\\D1.v2

Relay rule 2 - LEEF events

Source port → 13004
Source data → LEEF:(?:[^\|]+\|){4}([^\|]+)\|

If events are sent using Cortex Data Lake, the required regex for this field would be the following: LEEF:(?:[^|]+|){6}.cat=(
Target tag → firewall.paloalto.\\D1.leef
Check the Sent without syslog tag and Stop processing checkboxes

Palo Alto Firewall configuration

In Pan-OS, you will need to create a Syslog Server Profile for your Devo Relay, as well as the necessary Log Forwarding Profiles and Security Policy Rules. See the vendor documentation for instructions.

If you want to send your Palo Alto firewall events to a Devo relay that resides in a different network, check out the article about sending events to the Devo relay using SSL.

Log samples

The following are sample logs sent to each of the firewall.paloalto tags. Also, find how the information will be parsed in your data table under each sample log.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

firewall.paloalto.traffic.leef

2021-03-09 11:39:49.860 localhost=127.0.0.1 firewall.paloalto.traffic.leef: LEEF:2.0|Palo Alto Networks|LF|2.0|TRAFFIC| |TimeReceived=2021-03-09T11:23:14.000000Z   DeviceSN=012001012124   EventID=TRAFFIC cat=end ConfigVersion=9.0   devTime=2021-03-09T11:23:02.000000Z src=192.168.1.195   dst=3.232.0.203 srcPostNAT=211.24.95.14 dstPostNAT=3.232.0.203  Rule=LAN-WAN_AllowAD    usrName="jumpcloud.com\\chuwong"    DestinationUser=    Application=ssl VirtualLocation=vsys1   FromZone=LAN    ToZone=WAN_TIME InboundInterface=ethernet1/4    OutboundInterface=ethernet1/2   LogSetting=Log-Forwarding   SessionID=113464    RepeatCount=    srcPort=56354   dstPort=443 srcPostNATPort=27427    dstPostNATPort=443  proto=tcp   Action=allow    Bytes=8298  srcBytes=3489   dstBytes=4809   totalPackets=26 SessionStartTime=2021-03-09T11:22:36.000000Z    SessionDuration=11  URLCategory=computer-and-internet-info  SequenceNo=887767286    SourceLocation=192.168.0.0-192.168.255.255  DestinationLocation=US  srcPackets=1    dstPackets=11   SessionEndReason=tcp-rst-from-server    DGHierarchyLevel1=0 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName=  DeviceName=pan-ml-kl    ActionSource=from-policy    SourceUUID= DestinationUUID=    IMSI=0  IMEI=   ParentSessionID=0   ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A  EndpointAssociationID=0 ChunksTotal=0   ChunksSent=0    ChunksReceived=0    RuleUUID=e97a0d84-24e4-4556-ae9d-32dc0fbd59be   HTTP2Connection=0   LinkChangeCount=    SDWANPolicyName=    LinkSwitches=   SDWANCluster=   SDWANDeviceType=    SDWANClusterType=   SDWANSite=  DynamicUserGroupName=   X-Forwarded-ForIP=  SourceDeviceCategory=   SourceDeviceProfile=    SourceDeviceModel=  SourceDeviceVendor= SourceDeviceOSFamily=   SourceDeviceOSVersion=  SourceDeviceHost=   SourceDeviceMac=    DestinationDeviceCategory=  DestinationDeviceProfile=   DestinationDeviceModel= DestinationDeviceVendor=    DestinationDeviceOSFamily=  DestinationDeviceOSVersion= DestinationDeviceHost=  DestinationDeviceMac=   ContainerID=    ContainerNameSpace= ContainerName=  SourceEDL=  DestinationEDL= GPHostID=   EndpointSerialNumber=   SourceDynamicAddressGroup=  DestinationDynamicAddressGroup= HASessionOwner= TimeGeneratedHighResolution=    NSSAINetworkSliceType=  NSSAINetworkSliceDifferentiator=    devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ

And this is how the logs would be parsed:

Field	Value	Type	Source field name	Extra fields
eventdate	`2021-03-09 11:39:49.860`	`eventdate`
machine	`localhost`	`str`
future_use_1	`null`	`str`		✓
createdate	`2021-03-09 11:23:02.000`	`timestamp`		✓
timestamp	`2021-03-09 11:23:02.000`	`timestamp`	createdate
recvdate	`2021-03-09 11:23:14.000`	`timestamp`
serial	`012001012124`	`str`
logType	`TRAFFIC`	`str`		✓
subType	`end`	`str`
confVer	`9.0`	`str`		✓
srcIp	`192.168.1.195`	`ip4`
dstIp	`3.232.0.203`	`ip4`
srcXIp	`211.24.95.14`	`ip4`		✓
dstXIp	`3.232.0.203`	`ip4`		✓
srcNatIp	`211.24.95.14`	`ip4`	srcXIp
dstNatIp	`3.232.0.203`	`ip4`	dstXIp
rule	`LAN-WAN_AllowAD`	`str`
srcUser	`"jumpcloud.com\\chuwong"`	`str`
dstUser	`null`	`str`
app	`ssl`	`str`
virtSys	`vsys1`	`str`
srcZone	`LAN`	`str`
dstZone	`WAN_TIME`	`str`
srcIface	`ethernet1/4`	`str`
dstIface	`ethernet1/2`	`str`
logAction	`Log-Forwarding`	`str`
logdate	`null`	`timestamp`		✓
session	`113464`	`str`
repCnt	`null`	`int4`
srcPort	`56354`	`int4`
dstPort	`443`	`int4`
srcXPort	`27427`	`int4`		✓
dstXPort	`443`	`int4`		✓
srcNatPort	`27427`	`int4`	srcXPort
dstNatPort	`443443`	`int4`	dstXPort
flags	`null`	`str`
proto	`tcp`	`str`
action	`allow`	`str`
bytes	`8298`	`int8`
sentBytes	`3489`	`int8`
recvBytes	`4809`	`int8`
pkts	`26`	`int4`
startdate	`2021-03-09 11:22:36.000`	`timestamp`
elapsedTime	`11`	`int8`
category	`computer-and-internet-info`	`str`
seqno	`887767286`	`int8`
srcCountry	`192.168.0.0-192.168.255.255`	`str`
dstCountry	`US`	`str`
cpadding	`null`	`int4`
sentPkts	`1`	`int4`
recvPkts	`11`	`int4`
session_end_reason	`tcp-rst-from-server`	`str`
dg_hier_level_1	`0`	`int4`
dg_hier_level_2	`0`	`int4`
dg_hier_level_3	`0`	`int4`
dg_hier_level_4	`0`	`int4`
vsys_name	`null`	`str`
device_name	`pan-ml-kl`	`str`
action_source	`from-policy`	`str`
srcVMuuid	`null`	`str`
dstVMuuid	`null`	`str`
tunnelIDimsi	`0`	`str`
monitorTagIMEI	`null`	`str`
parentSessID	`0`	`int4`
parentStartTime	`1970-01-01 00:00:00.000`	`timestamp`
tunnel	`N/A`	`str`
sctpAssociationID	`0`	`int4`
sctpChunks	`0`	`int8`
sctpChunksSent	`0`	`int8`
sctpChunksReceived	`0`	`int8`
uuidForRule	`e97a0d84-24e4-4556-ae9d-32dc0fbd59be`	`str`
http2Connection	`0`	`str`
client		`str`	vclient	✓
hostchain	`localhost=127.0.0.1`	`str`		✓
tag	`firewall.paloalto.traffic.leef`	`str`		✓
rawMessage	LEEF:2.0\|Palo Alto Networks\|LF\|2.0\|TRAFFIC\| \|TimeReceived=2021-03-09T11:23:14.000000Z DeviceSN=012001012124 EventID=TRAFFIC cat=end ConfigVersion=9.0 devTime=2021-03-09T11:23:02.000000Z src=192.168.1.195 dst=3.232.0.203 srcPostNAT=211.24.95.14 dstPostNAT=3.232.0.203 Rule=LAN-WAN_AllowAD usrName="jumpcloud.com\\chuwong" DestinationUser= Application=ssl VirtualLocation=vsys1 FromZone=LAN ToZone=WAN_TIME InboundInterface=ethernet1/4 OutboundInterface=ethernet1/2 LogSetting=Log-Forwarding SessionID=113464 RepeatCount= srcPort=56354 dstPort=443 srcPostNATPort=27427 dstPostNATPort=443 proto=tcp Action=allow Bytes=8298 srcBytes=3489 dstBytes=4809 totalPackets=26 SessionStartTime=2021-03-09T11:22:36.000000Z SessionDuration=11 URLCategory=computer-and-internet-info SequenceNo=887767286 SourceLocation=192.168.0.0-192.168.255.255 DestinationLocation=US srcPackets=1 dstPackets=11 SessionEndReason=tcp-rst-from-server DGHierarchyLevel1=0 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=pan-ml-kl ActionSource=from-policy SourceUUID= DestinationUUID= IMSI=0 IMEI= ParentSessionID=0 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A EndpointAssociationID=0 ChunksTotal=0 ChunksSent=0 ChunksReceived=0 RuleUUID=e97a0d84-24e4-4556-ae9d-32dc0fbd59be HTTP2Connection=0 LinkChangeCount= SDWANPolicyName= LinkSwitches= SDWANCluster= SDWANDeviceType= SDWANClusterType= SDWANSite= DynamicUserGroupName= X-Forwarded-ForIP= SourceDeviceCategory= SourceDeviceProfile= SourceDeviceModel= SourceDeviceVendor= SourceDeviceOSFamily= SourceDeviceOSVersion= SourceDeviceHost= SourceDeviceMac= DestinationDeviceCategory= DestinationDeviceProfile= DestinationDeviceModel= DestinationDeviceVendor= DestinationDeviceOSFamily= DestinationDeviceOSVersion= DestinationDeviceHost= DestinationDeviceMac= ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= GPHostID= EndpointSerialNumber= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= HASessionOwner= TimeGeneratedHighResolution= NSSAINetworkSliceType= NSSAINetworkSliceDifferentiator= devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ	`str`
rawSource	LEEF:2.0\|Palo Alto Networks\|LF\|2.0\|TRAFFIC\| \|TimeReceived=2021-03-09T11:23:14.000000Z DeviceSN=012001012124 EventID=TRAFFIC cat=end ConfigVersion=9.0 devTime=2021-03-09T11:23:02.000000Z src=192.168.1.195 dst=3.232.0.203 srcPostNAT=211.24.95.14 dstPostNAT=3.232.0.203 Rule=LAN-WAN_AllowAD usrName="jumpcloud.com\\chuwong" DestinationUser= Application=ssl VirtualLocation=vsys1 FromZone=LAN ToZone=WAN_TIME InboundInterface=ethernet1/4 OutboundInterface=ethernet1/2 LogSetting=Log-Forwarding SessionID=113464 RepeatCount= srcPort=56354 dstPort=443 srcPostNATPort=27427 dstPostNATPort=443 proto=tcp Action=allow Bytes=8298 srcBytes=3489 dstBytes=4809 totalPackets=26 SessionStartTime=2021-03-09T11:22:36.000000Z SessionDuration=11 URLCategory=computer-and-internet-info SequenceNo=887767286 SourceLocation=192.168.0.0-192.168.255.255 DestinationLocation=US srcPackets=1 dstPackets=11 SessionEndReason=tcp-rst-from-server DGHierarchyLevel1=0 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=pan-ml-kl ActionSource=from-policy SourceUUID= DestinationUUID= IMSI=0 IMEI= ParentSessionID=0 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A EndpointAssociationID=0 ChunksTotal=0 ChunksSent=0 ChunksReceived=0 RuleUUID=e97a0d84-24e4-4556-ae9d-32dc0fbd59be HTTP2Connection=0 LinkChangeCount= SDWANPolicyName= LinkSwitches= SDWANCluster= SDWANDeviceType= SDWANClusterType= SDWANSite= DynamicUserGroupName= X-Forwarded-ForIP= SourceDeviceCategory= SourceDeviceProfile= SourceDeviceModel= SourceDeviceVendor= SourceDeviceOSFamily= SourceDeviceOSVersion= SourceDeviceHost= SourceDeviceMac= DestinationDeviceCategory= DestinationDeviceProfile= DestinationDeviceModel= DestinationDeviceVendor= DestinationDeviceOSFamily= DestinationDeviceOSVersion= DestinationDeviceHost= DestinationDeviceMac= ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= GPHostID= EndpointSerialNumber= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= HASessionOwner= TimeGeneratedHighResolution= NSSAINetworkSliceType= NSSAINetworkSliceDifferentiator= devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ	`str`	rawMessage	✓

firewall.paloalto.system.leef

2021-03-11 15:28:01.062 localhost=127.0.0.1 firewall.paloalto.system.leef: LEEF:2.0|Palo Alto Networks|LF|2.0|SYSTEM|   |LogTime=2021-03-11T15:28:00.000000Z    LogSourceID=012001017258    EventID=SYSTEM  cat=dhcp    ConfigVersion=0.0   devTime=2021-03-11T15:27:40.000000Z VirtualLocation=    EventName=lease-start   EventComponent= VendorSeverity=Informational    EventDescription=DHCP lease started ip 192.168.110.134 --> mac 86:9d:c5:ce:be:f1 - hostname Dees-iPhone, interface ethernet1/3.30    SequenceNo=6305112  DGHierarchyLevel1=0 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName=  LogSourceName=pan-ml-nyc    DeviceGroup=    Template=   TimeGeneratedHighResolution=    devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ

And this is how the logs would be parsed:

Field	Value	Type	Source field name	Extra fields
eventdate	`2021-03-09 11:39:49.860`	`eventdate`
machine	`localhost`	`str`
future_use_1	`null`	`str`		✓
timestamp	`2021-03-09 11:23:02.000`	`timestamp`
recvdate	`2021-03-09 11:23:14.000`	`timestamp`
serial	`012001017258`	`str`
logType	`SYSTEM`	`str`		✓
subType	`dhcp`	`str`
future_use_2	0.0	`str`		✓
vsys	null	`str`
eventId	lease-start	`str`
object	null	`str`
future_use_3		`str`
future_use_4		`str`
module		`str`
severity	Informational	`timestamp`
opaque	DHCP lease started ip 192.168.110.134 --> mac 86:9d:c5:ce:be:f1 - hostname Dees-iPhone, interface ethernet1/3.30	`str`		✓
description	DHCP lease started ip 192.168.110.134 --> mac 86:9d:c5:ce:be:f1 - hostname Dees-iPhone, interface ethernet1/3.30	`str`	opaque
actionflags		`str`
dev_group_hierarchy_1	`0`	`int4`
dev_group_hierarchy_2	`0`	`int4`
dev_group_hierarchy_3	`0`	`int4`
dev_group_hierarchy_4	`0`	`int4`
virtual_sys_name	`null`	`str`
device_name	`null`	`str`
client		`str`	vclient	✓
hostchain	`localhost=127.0.0.1`	`str`		✓
tag	`firewall.paloalto.system.leef`	`str`		✓
rawMessage	LEEF:2.0\|Palo Alto Networks\|LF\|2.0\|SYSTEM\| \|LogTime=2021-03-11T15:28:00.000000Z LogSourceID=012001017258 EventID=SYSTEM cat=dhcp ConfigVersion=0.0 devTime=2021-03-11T15:27:40.000000Z VirtualLocation= EventName=lease-start EventComponent= VendorSeverity=Informational EventDescription=DHCP lease started ip 192.168.110.134 --> mac 86:9d:c5:ce:be:f1 - hostname Dees-iPhone, interface ethernet1/3.30 SequenceNo=6305112 DGHierarchyLevel1=0 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= LogSourceName=pan-ml-nyc DeviceGroup= Template= TimeGeneratedHighResolution= devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ	`str`

firewall.paloalto.threat.leef

2021-03-11 09:18:39.383 localhost=127.0.0.1 firewall.paloalto.threat.leef: LEEF:2.0|Palo Alto Networks|LF|2.0|THREAT|   |TimeReceived=2021-03-11T09:18:37.000000Z   DeviceSN=012001012124   EventID=THREAT  cat=vulnerability   ConfigVersion=9.0   devTime=2021-03-11T09:18:22.000000Z src=192.168.1.232   dst=140.82.114.3    srcPostNAT=211.24.95.14 dstPostNAT=140.82.114.3 Rule=LAN-WAN_AllowAD    usrName=    DestinationUser=    Application=ssh VirtualLocation=vsys1   FromZone=LAN    ToZone=WAN_TIME InboundInterface=ethernet1/4    OutboundInterface=ethernet1/2   LogSetting=Log-Forwarding   SessionID=112575    RepeatCount=2   srcPort=50176   dstPort=22  srcPostNATPort=53783    dstPostNATPort=22   proto=tcp   Action=drop FileName=   ThreatID=SSH User Authentication Brute Force Attempt(40015) VendorSeverity=High DirectionOfAttack=client to server  SequenceNo=154995599    SourceLocation=192.168.0.0-192.168.255.255  DestinationLocation=US  PacketID=0  FileHash=   ApplianceOrCloud=   URLCounter=0    FileType=   SenderEmail=    EmailSubject=   RecipientEmail= ReportID=0  DGHierarchyLevel1=0 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName=  DeviceName=pan-ml-kl    SourceUUID= DestinationUUID=    IMSI=0  IMEI=   ParentSessionID=0   ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A  ThreatCategory=brute-force  ContentVersion=549329324    SigFlags=0x0    RuleUUID=e97a0d84-24e4-4556-ae9d-32dc0fbd59be   HTTP2Connection=0   DynamicUserGroupName=   X-Forwarded-ForIP=  SourceDeviceCategory=   SourceDeviceProfile=    SourceDeviceModel=  SourceDeviceVendor= SourceDeviceOSFamily=   SourceDeviceOSVersion=  SourceDeviceHost=   SourceDeviceMac=    DestinationDeviceCategory=  DestinationDeviceProfile=   DestinationDeviceModel= DestinationDeviceVendor=    DestinationDeviceOSFamily=  DestinationDeviceOSVersion= DestinationDeviceHost=  DestinationDeviceMac=   ContainerID=    ContainerNameSpace= ContainerName=  SourceEDL=  DestinationEDL= HostID= EndpointSerialNumber=   DomainEDL=  SourceDynamicAddressGroup=  DestinationDynamicAddressGroup= PartialHash=    TimeGeneratedHighResolution=    NSSAINetworkSliceType=  devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ

And this is how the logs would be parsed:

Field	Value	Type	Source field name	Extra fields
eventdate	`2021-03-11 09:18:39.383`	`eventdate`
machine	`localhost`	`str`
future_use	`null`	`str`		✓
createdate	`2021-03-11 09:18:22.000`	`timestamp`		✓
timestamp	`2021-03-11 09:18:22.000`	`timestamp`	createdate
recvdate	`2021-03-11 09:18:37.000`	`timestamp`
serial	`012001012124`	`str`
logType	`TRAFFIC`	`str`		✓
subType	`vulnerability`	`str`
confVer	`9.0`	`str`		✓
srcIp	`192.168.1.232`	`ip4`
dstIp	`140.82.114.3`	`ip4`
srcXIp	`211.24.95.14`	`ip4`		✓
dstXIp	`140.82.114.3`	`ip4`		✓
srcNatIp	`211.24.95.14`	`ip4`	srcXIp
dstNatIp	`140.82.114.3`	`ip4`	dstXIp
rule	`LAN-WAN_AllowAD`	`str`
srcUser	`null`	`str`
dstUser	`null`	`str`
app	`ssh`	`str`
virtSys	`vsys1`	`str`
srcZone	`LAN`	`str`
dstZone	`WAN_TIME`	`str`
srcIface	`ethernet1/4`	`str`
dstIface	`ethernet1/2`	`str`
logAction	`Log-Forwarding`	`str`
logdate	`null`	`timestamp`		✓
session	`112575`	`str`
repCnt	`22`	`int4`
srcPort	`50176`	`int4`
dstPort	`22`	`int4`
srcXPort	`53783`	`int4`
dstXPort	`22`	`int4`
srcNatPort	`53783`	`int4`	srcXPort
dstNatPort	`22`	`int4`	dstXPort
flags	`null`	`str`
proto	`tcp`	`str`
action	`drop`	`str`
misc	`null`	`str`		✓
url_filename	`null`	`str`	misc
threatid	`SSH User Authentication Brute Force Attempt(40015)`	`str`
category	`null`	`str`
severity	`High`	`str`
direction	`client to server`	`str`
seqno	`154995599`	`int8`
actionflags	`null`	`str`
srcloc	`192.168.0.0-192.168.255.255`	`str`
dstloc	`US`	`str`
cpadding	`null`	`int4`
contenttype	`null`	`str`
pcadId	`0`	`int8`
pcapId	`0`	`int8`	pcadId
fileDigest	`null`	`str`
cloud	`null`	`str`
urlIdx	`0`	`int4`
userAgent	`null`	`str`
fileType	`null`	`str`
xff	`null`	`str`
referer	`null`	`str`
sender	`null`	`str`
subject	`null`	`str`
recipient	`null`	`str`
reportid	`0`	`int8`
dgHierLevel1	`0`	`int4`
dgHierLevel2	`0`	`int4`
dgHierLevel3	`0`	`int4`
dgHierLevel4	`0`	`int4`
vsysName	`null`	`str`
deviceName	`pan-ml-kl`	`str`
future_use_1	`null`	`str`		✓
srcVMuuid	`null`	`str`
dstVMuuid	`null`	`str`
httpMethod	`null`	`str`
tunnelIDimsi	`0`	`str`
monitorTagIMEI	`null`	`str`
parentSessID	`0`	`int8`
parentStartTime	`1970-01-01 00:00:00.000`	`timestamp`
tunnel	`N/A`	`str`
thrCategory	`brute-force`	`str`
contentver	`549329324`	`str`
future_use_2	`0x0`	`str`		✓
sctpAssociationID	`null`	`int8`
payloadProtocolID	`null`	`int8`
httpHeaders	`null`	`str`
urlCategoryList	`null`	`str`
uuidForRule	`e97a0d84-24e4-4556-ae9d-32dc0fbd59be`	`str`
http2Connection	`0`	`str`
client	`null`	`str`	vclient	✓
hostchain	`localhost=127.0.0.1`	`str`		✓
tag	`firewall.paloalto.threat.leef`	`str`		✓
rawMessage	LEEF:2.0\|Palo Alto Networks\|LF\|2.0\|THREAT\| \|TimeReceived=2021-03-11T09:18:37.000000Z DeviceSN=012001012124 EventID=THREAT cat=vulnerability ConfigVersion=9.0 devTime=2021-03-11T09:18:22.000000Z src=192.168.1.232 dst=140.82.114.3 srcPostNAT=211.24.95.14 dstPostNAT=140.82.114.3 Rule=LAN-WAN_AllowAD usrName= DestinationUser= Application=ssh VirtualLocation=vsys1 FromZone=LAN ToZone=WAN_TIME InboundInterface=ethernet1/4 OutboundInterface=ethernet1/2 LogSetting=Log-Forwarding SessionID=112575 RepeatCount=2 srcPort=50176 dstPort=22 srcPostNATPort=53783 dstPostNATPort=22 proto=tcp Action=drop FileName= ThreatID=SSH User Authentication Brute Force Attempt(40015) VendorSeverity=High DirectionOfAttack=client to server SequenceNo=154995599 SourceLocation=192.168.0.0-192.168.255.255 DestinationLocation=US PacketID=0 FileHash= ApplianceOrCloud= URLCounter=0 FileType= SenderEmail= EmailSubject= RecipientEmail= ReportID=0 DGHierarchyLevel1=0 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=pan-ml-kl SourceUUID= DestinationUUID= IMSI=0 IMEI= ParentSessionID=0 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A ThreatCategory=brute-force ContentVersion=549329324 SigFlags=0x0 RuleUUID=e97a0d84-24e4-4556-ae9d-32dc0fbd59be HTTP2Connection=0 DynamicUserGroupName= X-Forwarded-ForIP= SourceDeviceCategory= SourceDeviceProfile= SourceDeviceModel= SourceDeviceVendor= SourceDeviceOSFamily= SourceDeviceOSVersion= SourceDeviceHost= SourceDeviceMac= DestinationDeviceCategory= DestinationDeviceProfile= DestinationDeviceModel= DestinationDeviceVendor= DestinationDeviceOSFamily= DestinationDeviceOSVersion= DestinationDeviceHost= DestinationDeviceMac= ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= HostID= EndpointSerialNumber= DomainEDL= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= PartialHash= TimeGeneratedHighResolution= NSSAINetworkSliceType= devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ	`str`